Healthcare Cybersecurity Is in Crisis — These Proven Controls Could Be the Cure

The United States healthcare sector faces an unprecedented cybersecurity crisis, experiencing twice as many breaches in 2025 as it did in 2024. According to a new analysis of insurance claims data from Resilience, the average incurred losses in the sector last year topped $2M. With lives at stake, the cost of disruption is staggering — in turn making healthcare organizations a primary target for threat actors looking for bigger payouts.
Adding fuel to the fire, healthcare organizations are also facing increasing regulatory pressure amidst finite budgets and even more limited staffing resources. This perfect storm means that in 2026, healthcare cybersecurity leaders must prioritize the investments that meaningfully reduce material risk while fitting into their operational budget.
Amidst all the noise, how can leaders learn what those investments are? The Risk Operations Center at Resilience recently conducted an analysis of incidents, claims, and loss data across healthcare organizations in its portfolio to identify new, data-driven benchmarks for healthcare security leaders seeking the levers with the highest ROI to protect their patients’ data — and well-being.
Here are those top five levers.
Companywide Anti-Fraud Training
Social engineering remains a dominant driver of material losses across observed healthcare cyber loss events, fueling 88% of material losses in the portfolio in the first half of 2025. In healthcare specifically, a security-focused culture, including continuous internal training against fraud and phishing scams, delivered a large reduction in value at risk. The analysis found that within healthcare organizations, phishing training programs reduced risk by $110K.
In 2026, organizations should establish continuous anti-fraud training programs that build a security-focused culture. Personnel must be trained to slow down and adopt a mindset of healthy skepticism, critically assessing any communication or request that triggers a sense of unease or suggests potential malicious pressure. Prioritizing robust training and education is one of the most effective ways organizations can reduce human error and improve security posture.
Breach and Attack Simulation on EDR Platforms
A good cyber posture isn’t about being invulnerable to an attack, but knowing how to ensure business continuity and protect patients in the case of a breach. But organizations can’t protect against what they can’t see. They need to know where the gaps in their system are and be ready for a breach in those areas.
Specifically, endpoint detection and response (EDR) tools are now common across healthcare environments, but many deployments contain blind spots due to misconfiguration, incomplete coverage, or outdated detection logic. Organizations that routinely conduct breach and attack simulations (BAS) or penetration tests to validate EDR and endpoint controls were better positioned to identify and remediate detection gaps before an incident.
It’s no longer acceptable to assume EDR coverage is effective. Healthcare organizations have to continuously validate it to ensure these capabilities will perform as expected during a real-world incident.
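One concrete form of the validation described above is to reconcile the asset inventory against what the EDR console actually reports, so that the three blind spots the article names (incomplete coverage, stale agents, outdated detection content) show up as a list rather than an assumption. The following is an added example written for this article, not code from the article or from Resilience; the inventory records, the seven-day staleness window and the minimum content build are constructed assumptions, and a real deployment would feed it from the CMDB and the EDR vendor's API.

```python
"""Reconcile an asset inventory against EDR agent check-ins to surface coverage gaps.

Added example with constructed data; thresholds below are assumptions, not article figures.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=7)         # assumption: an agent silent this long is treated as absent
MIN_CONTENT_VERSION = (2025, 12, 1)     # assumption: oldest acceptable detection-content build


@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: str          # team responsible for the host
    in_scope: bool      # True if the host is expected to carry an EDR sensor


@dataclass(frozen=True)
class AgentRecord:
    hostname: str
    last_seen: datetime
    content_version: tuple      # detection-content build as (year, month, day)
    real_time_protection: bool  # False means the sensor is installed but not enforcing


def find_coverage_gaps(assets, agents, now):
    """Return {hostname: [reasons]} for every in-scope asset that is not fully covered."""
    by_host = {a.hostname.lower(): a for a in agents}   # hostname case differs between systems
    gaps = {}
    for asset in assets:
        if not asset.in_scope:
            continue
        reasons = []
        rec = by_host.get(asset.hostname.lower())
        if rec is None:
            reasons.append("no EDR agent enrolled")
        else:
            if now - rec.last_seen > STALE_AFTER:
                reasons.append(f"agent last seen {(now - rec.last_seen).days} days ago")
            if rec.content_version < MIN_CONTENT_VERSION:
                reasons.append("detection content older than minimum build")
            if not rec.real_time_protection:
                reasons.append("real-time protection disabled (misconfiguration)")
        if reasons:
            gaps[asset.hostname] = reasons
    return gaps


def coverage_ratio(assets, gaps):
    """Fraction of in-scope assets with no gap; 1.0 when nothing is in scope."""
    in_scope = [a for a in assets if a.in_scope]
    if not in_scope:
        return 1.0
    return (len(in_scope) - len(gaps)) / len(in_scope)


# Constructed sample inventory and agent check-ins
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("ehr-app-01", "clinical-apps", True),
    Asset("imaging-ws-07", "radiology", True),
    Asset("nurse-kiosk-12", "nursing", True),
    Asset("hr-laptop-33", "hr", True),
    Asset("lab-analyzer-02", "lab", False),   # vendor-managed, explicitly out of scope
]
SAMPLE_AGENTS = [
    AgentRecord("EHR-APP-01", NOW - timedelta(hours=1), (2026, 1, 10), True),
    AgentRecord("imaging-ws-07", NOW - timedelta(days=21), (2025, 11, 3), True),
    AgentRecord("hr-laptop-33", NOW - timedelta(hours=5), (2026, 1, 10), False),
]

if __name__ == "__main__":
    found = find_coverage_gaps(SAMPLE_ASSETS, SAMPLE_AGENTS, NOW)
    for host, reasons in sorted(found.items()):
        print(f"{host}: {'; '.join(reasons)}")
    print(f"coverage: {coverage_ratio(SAMPLE_ASSETS, found):.0%}")
```

The point of the in_scope flag is that coverage is measured against what should be protected, not against what happens to report in; the ratio only means something when the denominator comes from the inventory rather than from the EDR console itself.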
Role-Based Access Controls
Role-based access controls (RBAC), on average, reduced extreme loss by $2.4M, making it one of the highest-value loss-prevention controls in the portfolio. Privileged access protections help secure highly sensitive patient information and reduce regulatory, legal, and notification exposure following an incident. For healthcare organizations with sprawling systems, diverse user types, and sensitive data being stored, formalizing access controls reduces unnecessary access paths and limits lateral movement during an intrusion.
RBAC that formalizes access permissions across these sprawling systems should be prioritized. These controls dramatically reduce the risk of exposure and limit the potential scope of a breach. Without them, once an attacker gains access to credentials in an organization’s system, they can move anywhere they want, wreaking havoc. Organizations don’t need complex systems to keep attackers out; they need simple controls to minimize damage.
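The "simple controls to minimize damage" point can be made concrete with a deny-by-default role model and a blast-radius check: the same function that decides whether a request is allowed can also answer how far a single compromised account would reach. This is an added example, not code from the article; the role catalogue, resource names and user list are constructed, and the two-resource-class limit in over_privileged is an assumption.

```python
"""Deny-by-default RBAC with a blast-radius audit. Added example; roles and users are constructed."""
from collections import defaultdict

# Constructed role catalogue: role -> {resource_class: set(actions)}
ROLES = {
    "nurse":       {"ehr:patient_chart": {"read", "write"}, "scheduling": {"read"}},
    "billing":     {"ehr:patient_chart": {"read"}, "billing:claims": {"read", "write"}},
    "it_helpdesk": {"directory:accounts": {"read", "reset_password"}},
    # A broad role that was never re-scoped; kept here to show what the audit flags.
    "domain_admin": {
        "directory:accounts": {"read", "write", "reset_password"},
        "ehr:patient_chart": {"read", "write"},
        "billing:claims": {"read", "write"},
        "backup:vault": {"read", "write"},
    },
}

# Constructed assignments: user -> set(roles)
USER_ROLES = {
    "alice": {"nurse"},
    "bob": {"billing"},
    "carol": {"it_helpdesk"},
    "legacy_svc": {"domain_admin"},   # service account still carrying an admin role
}


def permissions_for(user):
    """Union of every grant from every role the user holds; unknown users get nothing."""
    perms = defaultdict(set)
    for role in USER_ROLES.get(user, set()):
        for resource, actions in ROLES.get(role, {}).items():
            perms[resource] |= actions
    return dict(perms)


def is_allowed(user, action, resource):
    """Deny by default: True only if some role of the user grants `action` on `resource`."""
    return action in permissions_for(user).get(resource, set())


def blast_radius(user):
    """Resource classes a compromised account could touch, sorted for stable output."""
    return sorted(permissions_for(user))


def phi_writers():
    """Users able to modify patient charts; a short list is what least privilege looks like."""
    return sorted(u for u in USER_ROLES if is_allowed(u, "write", "ehr:patient_chart"))


def over_privileged(limit=2):
    """Accounts whose reach spans more than `limit` resource classes (limit is an assumption)."""
    return sorted(u for u in USER_ROLES if len(permissions_for(u)) > limit)


if __name__ == "__main__":
    print("alice can write charts:", is_allowed("alice", "write", "ehr:patient_chart"))
    print("alice can read claims: ", is_allowed("alice", "read", "billing:claims"))
    print("PHI writers:", phi_writers())
    for user in USER_ROLES:
        print(f"{user}: {blast_radius(user)}")
    print("over-privileged:", over_privileged())
```

Running the audit periodically against the real directory is the useful part: the grants themselves rarely change the day an account is compromised, so the blast radius an attacker inherits is whatever the last review left in place.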
Dual Authorization for Wire Transfers
Using AI, threat actors are improving the pace and sophistication of social engineering attacks targeting finance teams. According to a recent World Economic Forum survey, 87% of cybersecurity teams believe AI-driven risk has increased in the last year. The use of AI-enabled impersonation has made it even more difficult to identify a wolf in sheep’s clothing in your network. Once a wire transfer goes to a bad actor, the chances of recovering that large sum are slim.
One of the best ways to avoid this type of fraud in wire transfers of large payments is to implement dual authorization. Requiring two people to sign off on wire transfers adds a crucial layer of redundancy that can easily disrupt fraud. The two-sets-of-eyes approach is incredibly useful for spotting inconsistencies, recent or unexpected changes, or other anomalies that a single reviewer might miss. This requires minimal technical investment relative to the losses it helps prevent; what may seem like a straightforward control has proven to be one of the best protections against financially motivated fraud.
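The control only works if the two approvals are genuinely independent and are bound to the payment details that were reviewed, which is what a short workflow model makes visible: the initiator cannot be one of the approvers, and an approval recorded against one beneficiary account becomes void if the account is edited afterwards, which is exactly the "unexpected change" a second reviewer is there to catch. This is an added example, not code from the article; the $10,000 threshold and the names are constructed assumptions.

```python
"""Dual authorization for wire transfers with approvals bound to the reviewed details.

Added example with constructed threshold and names; not the article's code.
"""
import hashlib
import json
from dataclasses import dataclass, field

DUAL_AUTH_THRESHOLD = 10_000   # assumption: payments at or above this need two approvers


@dataclass
class WireRequest:
    request_id: str
    initiator: str
    beneficiary_name: str
    beneficiary_account: str
    amount: float
    approvals: dict = field(default_factory=dict)   # approver -> fingerprint they approved

    def fingerprint(self):
        """Hash of the fields an approver is attesting to; any edit changes it."""
        payload = json.dumps(
            {"name": self.beneficiary_name, "acct": self.beneficiary_account, "amt": self.amount},
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode()).hexdigest()

    def required_approvals(self):
        return 2 if self.amount >= DUAL_AUTH_THRESHOLD else 1

    def approve(self, approver):
        """Record an approval; the initiator is never an acceptable approver."""
        if approver == self.initiator:
            raise PermissionError("initiator cannot approve their own transfer")
        self.approvals[approver] = self.fingerprint()

    def valid_approvers(self):
        """Approvers whose approval still matches the current payment details."""
        current = self.fingerprint()
        return sorted(a for a, fp in self.approvals.items() if fp == current)

    def stale_approvers(self):
        """Approvers whose approval predates a change to the payment details."""
        current = self.fingerprint()
        return sorted(a for a, fp in self.approvals.items() if fp != current)

    def releasable(self):
        """True only when enough distinct, still-valid approvals exist."""
        return len(self.valid_approvers()) >= self.required_approvals()


def walk_through():
    """Constructed scenario: two approvals, then an account edit that voids them."""
    req = WireRequest("WT-0001", "alice", "Example Medical Supply", "111222333", 250_000.0)
    req.approve("bob")
    after_one = req.releasable()            # one approval is not enough at this amount
    req.approve("carol")
    after_two = req.releasable()            # two distinct approvers: releasable
    req.beneficiary_account = "999888777"   # a later edit to the beneficiary account
    after_edit = req.releasable()           # prior approvals no longer bind to these details
    return after_one, after_two, after_edit, req.stale_approvers()


if __name__ == "__main__":
    print(walk_through())
```

Binding approvals to a fingerprint rather than to the request id is the detail worth copying: it turns the policy "two people reviewed this payment" into "two people reviewed these exact details", which is the version that actually resists a beneficiary swap made after the first signature.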
MFA for Email Access
While the human element remains a primary risk focus and training is an essential first step, humans are fallible. It’s crucial to create a barrier against phishing and business email compromise attacks, which are common entry points for threat actors. Given the high-value, sensitive nature of Protected Health Information (PHI) that healthcare organizations are responsible for, securing email platforms is an important step for reducing cyber risk. Multi-factor authentication (MFA) for email remains one of the highest-ROI controls for reducing phishing and credential-based losses. This foundational security layer continues to outperform many more complex or costly tools in terms of reducing initial access through email compromise.
For optimal security, prioritize authenticator applications and physical security keys as they offer stronger protection against phishing and man-in-the-middle attacks than less secure methods such as SMS or voice calls.
For healthcare organizations entering 2026 without MFA on email, closing that gap should be treated as foundational risk reduction, rather than a discretionary security enhancement.
The Big Picture
Healthcare organizations stand at a critical juncture. Social engineering is more sophisticated, and threat actors are looking for bigger payouts, making healthcare a primary target for attacks. But this insight, based on real insurance data rather than platitudes or fearmongering, reveals a brighter picture for healthcare organizations willing to take action.
By focusing on the five proven controls listed above, healthcare organizations can achieve significant reductions in cyber risk. The path to better security is clearer than ever — now it’s up to healthcare organizations to install the practices that actually move the needle in reducing cyber risk.